重新安装系统,极速安装版nginx-1.18.gmssl, 国密ssl正常可以用了。
下面是网站nginx 加了支持国密ssl的配置文件
- listen 80;
- listen 443 ssl;
- server_name xxx.cn;
- index index.php index.html index.htm default.php default.htm default.html;
- root /www/wwwroot/xxx.cn/web;
- #CERT-APPLY-CHECK--START
- # 用于SSL证书申请时的文件验证相关配置 -- 请勿删除
- include /www/server/panel/vhost/nginx/well-known/xxx.cn.conf;
- #CERT-APPLY-CHECK--END
- #配置国密证书
- #ssl_certificate /www/wwwroot/xxx.cn/cert/xxx.cn_sm2_enc.pem;
- #ssl_certificate_key /www/wwwroot/xxx.cn/cert/xxx.cn_sm2_enc.key;
- #ssl_certificate /www/wwwroot/xxx.cn/cert/xxx.cn_sm2_sign.pem;
- #ssl_certificate_key /www/wwwroot/xxx.cn/cert/xxx.cn_sm2_sign.key;
- #配置国际证书
- ssl_certificate /www/wwwroot/xxx.cn/cert/cn/xxx.cn.pem;
- ssl_certificate_key /www/wwwroot/xxx.cn/cert/cn/xxx.cn.key;
- #设置ssl 的会话超时时间为 5 分钟
- ssl_session_timeout 5m;
- ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
- #配置ssl证书所需的加密套件
- ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH::AES128-SHA:DES-CBC3-SHA:ECC-SM4-CBC-SM3:ECC-SM4-GCM-SM3:ECDHE-SM2-WITH-SMS4-GCM-SM3:ECDHE-SM2-WITH-SMS4-SHA256:ECDHE-SM2-WITH-SMS4-SM3:SM2-WITH-SMS4-SM3:SM2DHE-WITH-SMS4-SM3!NULL:!aNULL:!MD5:!ADH:!RC4:!3DES:ECDHE-SM4-GCM-SM3:ECDHE-SM2-WITH-SMS4-CBC-SM3;
- # ssl_verify_client on;
- #强制https
- set $isRedcert 1;
- if ($server_port != 443) {
- set $isRedcert 2;
- }
- if ( $uri ~ /\.well-known/ ) {
- set $isRedcert 1;
- }
- if ($isRedcert != 1) {
- rewrite ^(/.*)$ https://$host$1 permanent;
- }
- #SSL-START SSL相关配置,请勿删除或修改下一行带注释的404规则
|
运维要高效,装宝塔
